1e46760fc8670003204bdc3222236fdc00a21ffa4eeb2d0f7053ae74f584ef80

General

Target

rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Size

172KB
MD5

b2967a3ca6cfebc2e66f4c69d19dc055
SHA1

8832ee55e68abeb97738f4a62063860686246474
SHA256

9c4853fb813000f747396db86faea3122e6f7395f600bef9b3bc5f6eea133a9b
SHA512

00be2036a0fae86686f5de9c86f861fa534b52357636618adfb80c8edaf4ac9110fd6cca76fd7d9774ad090e0e3b2bc2d2ed71e314a4c147be8dc64c888f6e6e
SSDEEP

3072:M5AvWhLGWKpp91HMGGCPwqMBV/oFPUNuG:QSWhLG5fBRPSyF

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 880 set thread context of 1540	880	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	80

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4736	3308	WerFault.exe	65

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\printto\command	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RECHNU~1.EXE \"%1\""	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\print\command	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\ = "Tif Document"	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\open\command	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\print	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\printto	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RECHNU~1.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\""	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RECHNU~1.EXE,0"	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\open	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RECHNU~1.EXE /p \"%1\""	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\DefaultIcon	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
880	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
880	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
880	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
880	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
880	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
880	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
1540	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
1540	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
2228	Explorer.EXE
2228	Explorer.EXE
2228	Explorer.EXE
2228	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2228	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1540	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Token: SeDebugPrivilege	2228	Explorer.EXE
Token: SeShutdownPrivilege	2228	Explorer.EXE
Token: SeCreatePagefilePrivilege	2228	Explorer.EXE
Token: SeShutdownPrivilege	3512	RuntimeBroker.exe
Token: SeShutdownPrivilege	3512	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
880	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
880	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 1540	880	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	80
PID 880 wrote to memory of 1540	880	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	80
PID 880 wrote to memory of 1540	880	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	80
PID 880 wrote to memory of 1540	880	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	80
PID 880 wrote to memory of 1540	880	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	80
PID 880 wrote to memory of 1540	880	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	80
PID 880 wrote to memory of 1540	880	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	80
PID 880 wrote to memory of 1540	880	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	80
PID 880 wrote to memory of 1540	880	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	80
PID 1540 wrote to memory of 3184	1540	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	81
PID 1540 wrote to memory of 3184	1540	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	81
PID 1540 wrote to memory of 3184	1540	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	81
PID 1540 wrote to memory of 2228	1540	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	66
PID 2228 wrote to memory of 2372	2228	Explorer.EXE	16
PID 2228 wrote to memory of 2380	2228	Explorer.EXE	18
PID 2228 wrote to memory of 2476	2228	Explorer.EXE	17
PID 2228 wrote to memory of 3108	2228	Explorer.EXE	42
PID 2228 wrote to memory of 3308	2228	Explorer.EXE	65
PID 2228 wrote to memory of 3404	2228	Explorer.EXE	43
PID 2228 wrote to memory of 3512	2228	Explorer.EXE	44
PID 2228 wrote to memory of 3620	2228	Explorer.EXE	63
PID 2228 wrote to memory of 3824	2228	Explorer.EXE	62
PID 2228 wrote to memory of 4700	2228	Explorer.EXE	61
PID 2228 wrote to memory of 1540	2228	Explorer.EXE	80
PID 2228 wrote to memory of 3184	2228	Explorer.EXE	81
PID 2228 wrote to memory of 384	2228	Explorer.EXE	82

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2372

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3108

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3404

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4700

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3824

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3620

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3308
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3308 -s 996
  2⤵
  - Program crash
  PID:4736

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
  "C:\Users\Admin\AppData\Local\Temp\rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Users\Admin\AppData\Local\Temp\rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
    C:\Users\Admin\AppData\Local\Temp\rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS6752~1.BAT"
      4⤵
      PID:3184
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:384

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3308 -ip 3308
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms6752673.bat

Filesize
201B

MD5
a249f8582bd100301275e51db3ec42b7

SHA1
e62e23cb91f6d9e0c1e0153fb54b1beb77f01ac2

SHA256
6ee6031e370011b39c6588c1a0273e7286657b919dc09a25b065c74974b07a78

SHA512
12ac1b6b5e258575545717b43c80fd1ad3fa6135a99a343f2ae9a27515d4e652904d2b10b991e70d974bbf023b6e31cffee06ba3ca00228c35d258fd171ccf9e

Download Submit
memory/384-149-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/384-153-0x000001B8BE660000-0x000001B8BE677000-memory.dmp

Filesize
92KB

Download
memory/880-134-0x0000000000BE0000-0x0000000000BE4000-memory.dmp

Filesize
16KB

Download
memory/1540-133-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1540-136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1540-137-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1540-140-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2228-163-0x00000000008A0000-0x00000000008B7000-memory.dmp

Filesize
92KB

Download
memory/2228-139-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/2228-155-0x00000000008A0000-0x00000000008B7000-memory.dmp

Filesize
92KB

Download
memory/2372-154-0x000002002A000000-0x000002002A017000-memory.dmp

Filesize
92KB

Download
memory/2372-141-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/2380-142-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/2380-156-0x0000020E9CD00000-0x0000020E9CD17000-memory.dmp

Filesize
92KB

Download
memory/2476-144-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/2476-157-0x000001E4D0560000-0x000001E4D0577000-memory.dmp

Filesize
92KB

Download
memory/3108-143-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/3108-158-0x0000020E5B120000-0x0000020E5B137000-memory.dmp

Filesize
92KB

Download
memory/3184-150-0x0000000037210000-0x0000000037220000-memory.dmp

Filesize
64KB

Download
memory/3184-152-0x0000000000660000-0x0000000000674000-memory.dmp

Filesize
80KB

Download
memory/3404-145-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/3404-159-0x0000018555540000-0x0000018555557000-memory.dmp

Filesize
92KB

Download
memory/3512-147-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/3512-161-0x00000129A2F30000-0x00000129A2F47000-memory.dmp

Filesize
92KB

Download
memory/3824-146-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/3824-160-0x000002410A3C0000-0x000002410A3D7000-memory.dmp

Filesize
92KB

Download
memory/4700-148-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/4700-162-0x0000026885640000-0x0000026885657000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing